(U//FOUO) What have I learned in my first two years in

- Important to understand the data that you are searching against
- (S//SI//REL) Important to understand the hidden treasures and nuances in various SIGDEV tools
- (U//FOUO) Nothing is 100%: there are always exceptions to the tools and the rules
- (S//SI//REL) Took a network view of VPNs
(TS//SI//REL) What Makes SIGDEV Analysis Challenging?

(U//FOUO) Requires knowledge of
- (S//SI//REL) Access and collection
- (S//SI//REL) Network protocols
- (S//SI//REL) Routing
- (TS//SI//REL) Encryption
(U//FOUO) Challenges etc....

(TS//SI//REL) Technical jargon and abbreviations
- IPSEC
- IKE
- MPLS
- PSK
- PPTP
- L2TP
- GRE
- Cisco commands
(TS//SI//REL) Challenges etc..

(S//SI//REL) Tools
- How to use them
- Knowing that they exist
- Multiple query languages
  - SQL for TOYGRIPPE
  - Oracle Text Query in DISCOROUTE
- Quantity
(U//FOUO) Tools

- DISCOROUTE
- BLACKPEARL
- TOYGRIPPE
- GNETWORK / GNOME
- NKB & RONIN
- XKEYSCORE
- TREASUREMAP
- RENOIR
- ...and more...
(S//SI//REL) Building Network Knowledge

(Venn diagram of BLACKPEARL, TOYGRIPPE and XKEYSCORE.)

Maximize the overlap of the tools for success


(S//SI//REL) DISCOROUTE

NAC's router configuration database
(U//FOUO) DISCOROUTE

(C) NAC project to acquire, parse, database and display configuration files from network devices

(C) Allows analysts to mine device configs for SIGDEV discovery

Router configs are a rich source of network and VPN information
(S//SI//REL) DISCOROUTE

All IPs are important because they all belong to a device and they all have a purpose in the network

(S//SI//REL) Search for
- Endpoint IPs
- Loopback IPs
- Opposite end of a point-to-point connection
- IPs found in pings and telnets

(S//SI//REL) Make note of the source and destination IPs of the config
(U//FOUO) DISCOROUTE

(U//FOUO) Country Search
(U//FOUO) IP Search
(U//FOUO) Text Query
(TS//SI//REL) Manifest Tag Selection
- K - Crypto Keys
- H - TAO Pop
- M - Multihop
(S//SI//REL) VPN report
(S//SI//REL) DISCOROUTE: Country Search

(S//SI//REL) IPGeo lookup on every IP address that is parsed

(S//SI//REL) Configs with only private IPs will not show up in the results of a country search
(S//SI//REL) DISCOROUTE: Searching for IP

(S//SI//REL) Text Query
- searches through the payload
- If you only search using this field, then you will miss
  - configs that have your IPs of interest as the source and destination address
  - configs where your IP falls within the range of the interface mask

(S//SI//REL) IP address field search
- searches through the parsed file
- If you only search using this field, then you will miss configs with your IPs of interest in pings, telnets, arp commands


(S//SI//REL) DISCOROUTE Search 1 Feb to 13 Apr:

(S//SI//REL) Text Query: searching for the IP [redacted] in the payload
- 3 results

(S//SI//REL) IP Address Search: searching for the IP in the parsed file
- Exact IP search
- De-duped by most recent
- 28 results (27 had [redacted] as the source IP)

(S//SI//REL) Somalia Country search: 66 results (12 of those had a source IP of [redacted])

(S//SI//REL) Difference: IP was the source IP for configs more times than it occurred in the payload data


(S//SI//REL) Why fewer configs for [redacted] in the country search?

(S//SI//REL) 12 as opposed to 27

(S//SI//REL) Geo location for [redacted] was Hong Kong for a period of time

(S//SI//REL) Geo is assigned to router configs at the time of ingest and not changed if the IP location is corrected




(TS//SI//REL) Data Found in a Text Query: Network IPs in a Huawei Config

(Screenshot of a Huawei session captured in the config payload; recoverable text:)
  Current total sessions : 19
  udp public
  Press CTRL+K to abort
  Connected to [redacted]
(S//SI//REL) DISCOROUTE

(TS//SI//REL) H - [text missing] the router

(S//SI//REL) M - multihop router. The admin telnetted into a router and then telnetted again to another device. Potential goldmine of information about your network, but be careful when looking through them to make sure you are associating an IP with the correct device.

(TS//SI//REL) K - crypto keys

(S//SI//REL) VPNs in Router Configs

(TS//SI//REL) DISCOROUTE sets manifest tags to 'K' for configs with crypto information
(S//SI//REL) Separate parsers developed for each vendor to pull out the endpoints and the pre-shared keys
- Cisco
- Huawei
- Juniper
(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) Endpoint and Description Fields

  crypto isakmp key VpnsAreCool address [redacted]
  crypto map VPNS-ROCK 10 ipsec-isakmp
   set peer [redacted]
  !
  interface Tunnel1
   description Tunnel TO theStars
   bandwidth 512
   ip address [redacted]
   ip tcp adjust-mss 1350
   load-interval 30
   keepalive 5 2
   tunnel source [redacted]
   tunnel destination [redacted]
   crypto map VPNS-ROCK


(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) Netstrings: Username, SNMP Community & Domain Names

  username deb privilege 5 password 7 082C495A0C1617
  snmp-server community dancer RW 70
  snmp-server community tangosnmp RW 60
  ip domain name lifesabeach


(S//SI//REL) VPN Information in a Huawei Config

  ike proposal 60
   authentication-algorithm md5
   (remainder of this line garbled in the capture)
  #
  ike peer [redacted]
   exchange-mode aggressive
   pre-shared-key GoHokies
   ike-proposal 60
   undo version 2
   local-id-type name
   remote-name svn
   remote-address [redacted]
   remote-address authentication-address [redacted]
   nat traversal
  #
  ipsec proposal GoHokies
  #
  ipsec policy helloworld 60 isakmp
   security acl 3060
   ike-peer [redacted]
   proposal GoHokies
  #
  interface Virtual-Template1
   ip address [redacted]
   remote address pool 1
  #
  interface GigabitEthernet0/0/0
   ip address [redacted]
  #
  interface GigabitEthernet0/0/1
   description GigabitEthernet0/0/1 Interface
   ip address [redacted]
   ipsec policy helloworld


(S//SI//REL) VPN Information in a Juniper Config

  set ike gateway "BadguyVPN" address [redacted] Main outgoing-interface "untrust" preshare "xGe7YOYfNx3DNGsp4GCq+fgCdondsCBQtVwo/3YfCvbR7zJyDUewVD4=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
  set ike gateway "BadguyVPN" cert peer-ca all
  set ike gateway "BadguyVPN Backup" address [redacted] Main outgoing-interface "untrust" preshare "YWZpKbUvNGQvCbsiXdCwv3pxRDnl_EAxo9877SfJFLBgg9utCdSyYPPI=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
  set ike gateway "To Mouse" address [redacted] Main outgoing-interface "untrust" preshare "fn3VG5ElNI+amHsDeyChciqYVHnuTsbj4w==" proposal "pre-g2-3des-sha"
  set ike respond-bad-spi 1
  set vpn "BadguyVPN" gateway "BadguyVPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
  set vpn "BadguyVPN" monitor optimized rekey
  set vpn "BadguyVPN" id 5 bind interface tunnel.3
  set vpn "backup BadguyVPN" gateway "BadguyVPN Backup" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-md5"
  set vpn "backup BadguyVPN" monitor optimized rekey
  set vpn "backup BadguyVPN" id 4 bind interface tunnel.1
  set vpn "From Rat" gateway "To Mouse" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
  set vpn "From Rat" monitor optimized rekey
  set vpn "From Rat" id 6 bind interface tunnel.2


(S//SI//REL) VPN Report Search

(S//SI//REL) Some of what you can search in...
- Country
- IP Address
- SIGAD/Case Notation
- Descriptions: crypto map and interface
- Netstrings: Username, Domain Name
- Pre-shared keys
- Device Hostname
- TAO Project Name
(S//SI//REL) DISCOROUTE VPN Report Form

(Screenshot of the DISCOROUTE VPN Report Form; recoverable fields:)
  Menu: Query | Reports | Network Mgmt | Query Wiki | Feedback
  Route Reports
  Start Date: 2012-03-14 00:   End Date: 2012-04-13 23:59:59
  Date basis: DOI / Load Date / Entire Database
  IP Address: [ ]  with checkboxes Tunnel Source, Tunnel Dest, Interface, VPN Source, VPN Remote
  TAO Project Name: [ ]
  Buttons: Generate Report | Generate Report in New Window | Clear Panel
  Powered by the SIGDEV Lab
(S//SI//REL) VPN Report

(Screenshot of a DISCOROUTE VPN report for one router; recoverable content:)

  Interfaces: Loopback0, FastEthernet0/0, FastEthernet0/1, Serial0/1/0
  Network / Mask / Description columns, e.g.
    255.255.255.255   voice traffic
    255.255.255.240   Connected To ASA/Firewall
    [garbled]         Connected To [garbled] DSL
    255.255.255.240   Connected To DVB

  VPN Peers (interfaces Serial0/1/0 and Tunnel1):
    columns Router IP, Remote IP, VPN Type, PSKs, Description
    VPN Type: ipsec
    Descriptions: lblBaghdad, lblvoiceVpn

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S//SI//REL) VPN Report

Use the VPN report as a start but not as the final answer for VPNs from a country or a SIGAD
(C) Query in different ways to make sure you get as much of the data as possible

(TS//SI//REL) Depending on your scenario you may want to start with a country search, an IP range or a descriptive term

VPN Peers Section contains the endpoint IPs for your VPN which can be entered into TOYGRIPPE




(S//SI//REL) Description & Net Strings Searches

(S//SI//REL) Suppose you do a general VPN report query
- Search by country
- Search by SIGAD
(S//SI//REL) Find a VPN of interest
(S//SI//REL) Analyze the NetStrings and the description fields
(S//SI//REL) NetStrings

Do a follow-on VPN report using a netstring specific to your network
- SNMP community string: pegasus
- Domain name: badguy.com
- Username

(S//SI//REL) Search ROYALNET
- Analytics to find other netstrings related to your target
- Analytics to find links likely to carry your target's communications




(U//FOUO) BLACKPEARL

(S//SI//REL) NAC tool enabling automated DNI link and network characterization against survey collection across the SIGINT system
(S//SI//REL) BLACKPEARL

(U//FOUO) General Query
(S//SI//REL) Customized reports
- VPN report
- DNI Access Essentials
- MPLS report
- Five Tuple Report
(S//SI//REL) BLACKPEARL IP

- Interface IPs
- Loopback IPs
- Source or destination IPs of the router config file
- Inner network IPs
- Analyze other IPs on the link
(U//FOUO) BLACKPEARL

- (S//SI//REL) Search 'All traffic' and include subchannels and tunnels if no results found under limited search
- (S//SI//REL) If link is identified as MPLS then look at the other IPs in inner labels, if present
- (S//SI//REL) Use BLACKPEARL for finding access and gathering information on your network


(S//SI//REL) Search for Inner Tunneled IPs

(S//SI//REL) Query BLACKPEARL with an endpoint IP
- Find other tunneled IPs - inner network IPs on which you can do follow-on searches

(S//SI//REL) Query DISCOROUTE with any new IPs found

(TS//SI//REL) Success: Discovered information on Somalia's Hormuud network


(TS//SI//REL) Example: Hormuud Network

(S//SI//REL) Began with loopback IPs from a spreadsheet

(S//SI//REL) Found configs for 2 of the 12 loopbacks in a text query in DISCOROUTE
- [redacted] and [redacted] were in the payload but not parsed

(S//SI//REL) Took the IPs from those configs and found other configs, one with hostname 'LNS'
(U) Example

(S//SI//REL) BLACKPEARL hit on LNS IP
- Inner IPs in L2TP tunnels
- DR search for inner IPs from the L2TP tunnels and found more configs

(U//FOUO) Many of the configs were multi-hop
(S//SI//REL) Information compiled for TAO
- ~400 IPs for over 50 devices
(TS//SI//REL) BLACKPEARL Search:

(Screenshot of BLACKPEARL five-tuple results; recoverable content:)

  L2TP tunnel, Number of Five Tuples: 1
    columns: # | Source Address | Dest Address | Source Port | Dest Port | Next Protocol | % Packets
    [redacted] | [redacted] | [redacted] | 4527 | TCP (6) | 100.0

  L2TP tunnel, Number of Five Tuples: 2 (24 total packets)
    [redacted] | [redacted] | [redacted] | 3078 | TCP (6) | 83.3
    [redacted] | [redacted] | [redacted] | 3080 | TCP (6) | 16.7

  Content Steward: [redacted]
  General Support: Contact the Mission Support Team
(TS//SI//REL) BLACKPEARL MPLS

(Screenshot of BLACKPEARL MPLS results; recoverable content: one "Tuple List (label stack 1046418, <inner label>)" per inner label, with Source Address / Dest Address columns, for inner labels 7938, 7211, 6660, 6306, 7180 and 8120.)
(U//FOUO) TOYGRIPPE

(S//SI//REL) VPN Metadata Repository
(S//SI//REL) Building VPN Network Knowledge

(S//SI//REL) VPNs are part of a larger network
(S//SI//REL) Inner or tunneled IPs are a peek inside the target's network

(S//SI//REL) Beneficial to look beyond the endpoints of your VPN

(S//SI//REL) Combine information from as many SIGDEV databases as you can
(U//FOUO) TOYGRIPPE

Search 3 months at a time

(U//FOUO) Keep going back in time if no results found

(S//SI//REL) Take endpoint IPs found here and search in
- DISCOROUTE - device information
- BLACKPEARL - inner tunneled IPs
(S//SI//REL) Country report

(U//FOUO) TOYGRIPPE

Make note of other connections to the IP of interest and search for them separately
(S//SI//REL) You might not find what you are looking for, but it still may be important

(S//SI//REL) Convert the target domain name to hex and search for it in the idData field
- badguy.com -> 6261646775792e636f6d
- (idData LIKE '%6261646775792e636f6d')

(U//FOUO) Endpoint IP

... separately

Query each IP in TOYGRIPPE
- Try to determine the importance of the connections
- Note other VPN connections: all IPs are important until proven otherwise

(TS//SI//REL) Success: Discovered Iranian corporate intranet

(S//SI//REL) Building a VPN Intranet: Searching back through TOYGRIPPE

(Network diagram of VPN sites: Istanbul, Izmir, Ankara, Armenia, Tehran, South Korea.)

All branches of the same company. Hub was in Tehran.
(S//SI//REL) Finding Suspicious VPN Connections

(TS//SI//REL) Two connections outside the target company
(S//SI//REL) Discovery of a Data Center

...and when I did a follow on search in TOYGRIPPE for IP C...

...I found it only established VPN connections to IP A

Later discovered that IP C belonged to a data center in another country
(S//SI//REL) Search for other end of the point-to-point

(S//SI//REL) What to do if you have VPN endpoints from a GNOME report or a TOYGRIPPE search
(S//SI//REL) Search for that IP in the DISCOROUTE VPN report GUI - you don't find it
(S//SI//REL) Try to search for the other end of what would be a point-to-point connection in DISCOROUTE to find the customer edge router
(S//SI//REL) END GOAL: find more information about the network
(S//SI//REL) Customer Edge Routers

(Network diagram; no recoverable text.)
(U//FOUO) NKB and RONIN

(S//SI//REL) NKB is NSA's Network Knowledge Base delivering target communications' DNI and enrichment data

(S//SI//REL) RONIN is a device characterization database and one of the enrichments to NKB
(U//FOUO) NKB

(S//SI//REL) RONIN data
- Server Analytics: VPN identified through application layer information in ASDF
- Wiki: VPN Metadata in ASDF
- VPN Analytics: endpoint in TOYGRIPPE
- Router Config: new descriptive information coming soon to include tunnel & VPN information for IPs

- Example: Kenya VPN IP
(TS//SI//REL) NKB Search for [redacted]

(Screenshot of NKB results for the Kenya VPN IP; recoverable content:)
  Record types: Hardware Interface: ROUTER; Service Interface: ROUTER; Service Interface: SERVER; IP ROUTE: Routed By; unknown: IP
  Service tags: vpn:IKEv1, VPN:CISCO
  Enrichment text (partly garbled):
    "[IP] is serviced by interface [...] on the Cisco router [...], model "c870", with netmask [...] and description "To DSL provider"" (2011-Oct-12, 2011-Oct-13)
    "[IP] in a static route with a router "BP_AGG01""
    "[IP]/32 was found as the IP for interface [...]" (2011-Sep-12)
(U//FOUO) GNETWORK

(S//SI//REL) Tool used to extract and correlate information from a variety of NAC, SSG, SSO, NTOC and other metadata databases
(S//SI//REL) Keep an Eye on the Entire Netblock

- (S//SI//REL) Multiple VPNs for one target
  - different purposes
  - different clients


(S//SI//REL) GNOME Task: Private IP VPNs

(S//SI//REL) Find a public IP associated with your private IP
- Loopback IP
- Another interface IP

(S//SI//REL) Use those for your GNOME report and look for your private IP on the same link
(S//SI//REL) Data presented in the VPN tab in GNOME report is limited
(U//FOUO) Network Patterns...

(S//SI//REL) IP Patterns

(S//SI//REL) Admins are people -- they lean towards predictability in assignment of IPs to make their job easier

(S//SI//REL) IP or a combination of the octets could be an indication of:
- network provider
- location
- specific purpose in the network


(S//SI//REL) Example #1: Private IP VPN

(S//SI//REL)
- Second octet indicated the network provider
  - 20 = network provider #1
  - 21 = network provider #2
- Second and third octet = country
  - 20.30 and 21.30 were the same country but different providers
- 40 = individual target entity in that country

(S//SI//REL) Server side of the VPN:
- Second octet indicated network provider
  - 51 = network provider #1
  - 52 = network provider #2



(S//SI//REL) IP Patterns

(S//SI//REL) Public IP VPN: [redacted]
- Third octet = country location of this IP (three possible)
- Fourth octet = country location of the other side of the VPN connection

Analyzed the opposite side of this /24 and identified the country for 167 4th octet values (out of 209): when this public IP connects to a private IP we know the country location of the private IP.





(U//FOUO) Final Thoughts...

(S//SI//REL) Just because you don't get results doesn't mean the answer isn't there
- If you're looking for a connection from A to B and don't find it, then maybe you need to look for one from A to C to B

(S//SI//REL) Try the query a different way
- Widen the search either by wildcarding (if permitted) or by selecting a different drop-down option
- Enter information in a different field



(U//FOUO) Final Thoughts...

(S//SI//REL) All IPs are important until proven otherwise
- They all serve a purpose and belong to a device
- Make note of what you find even if you don't know at the time what it means

(S//SI//REL) Search for data even if results are unlikely
(S//SI//REL) Don't necessarily discard dated information




(U//FOUO) Final Thoughts...

- (U//FOUO) Understand the data that you are searching and what the fields in the GUI are searching for
- (U//FOUO) Take an iterative approach: start searches wide, then narrow them down, then widen back out again
- (S//SI//REL) Bounce between the different databases and use the tools for every aspect of your network analysis
(S//SI//REL) VPN SIGDEV: Build the network knowledge.

(TS//SI//REL) Dig beyond paired collection, PSKs and persistence

(S//SI//REL) Discovery of the inner IPs of the VPN is possible in ways other than decryption

(S//SI//REL) Investigate device IPs
(U//FOUO) Look for patterns
(S//SI//REL) Discover the 'N' of your VPN


(U//FOUO) Questions?

SSG21 Net Pursuit
Network Analysis Center


(S//SI//REL) Simplifying and Automating VPN SIGDEV

SSG22
Network Analysis Center
(U//FOUO) The Ultimate Goals

(S//SI//REL) Integrate VPN information into mainstream analytic tools and knowledge bases.

(S//SI//REL) Give analysts the ability to discover, develop, and track known targets using VPNs.

(S//SI//REL) Give analysts the ability to discover new targets using VPNs.



(U//FOUO) The Start...

(S//SI//REL) Develop new corporate VPN tool (DARKSUNRISE).
- Joint collaboration between CES and the NAC
- Take advantage of cloud architecture.
- Strive to meet the needs of the entire VPN community.



(U//FOUO) To The Cloud!

(S//SI//REL) Data stored in MDR-2, the corporate metadata repository.
- Stores one year of DNI metadata.
- Enables filtering, aggregating, and transforming large datasets quickly.
- Manage high data volumes.
- Answer VPN questions efficiently and easily.



(S//SI//REL) What are Some of the Needs of the VPN SIGDEV Community?

(S//SI//REL) Answer VPN SIGDEV questions quickly.

(S//SI//REL) Allow SIGDEVers to spend time analyzing data instead of gathering and processing the data first.

(S//SI//REL) Make VPN SIGDEV more widely understood by simplifying and automating the SIGDEV process.

(S//SI//REL) Robust Structure
- Allow for multiple VPN and network encryption protocols and for incorporation of new analytics.



(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Basic Questions
- Is my target using a VPN?
- What are all of the VPNs from country BadGuyLand?
- Tell me all of the VPNs where domain = sita*.
- Tell me all of the VPNs where the vendor ID = Cisco.



(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Specialized Questions
- What are all of the VPNs that are bi-directional?
- What are all of the VPNs that are paired?
- Tell me all of the VPNs (and how many) that a particular VPN talks to (persistent hubs/centrality).
- What are all of the VPNs that are of interest (via Target Network Service)?
- What VPNs are associated to a router config?
- What are all of the VPNs that are persistent?
- For which VPNs do we have a PSK?



(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Synthesized Questions
- What are all of the VPNs that are bi-directional, persistent, and of interest?
- What are all of the VPNs that are paired, persistent, and for which we have a PSK?
- What are all of the VPNs from country BadGuyLand that are paired, associated to a router config, and of interest?



(U//FOUO) DARKSUNRISE

(U//FOUO) This is a prototype GUI.

(U//FOUO) Coming Fall 2012


(S//SI//REL) DARKSUNRISE

(Browser screenshot of the DARKSUNRISE prototype GUI.)
(TS//SI//REL) The NKB Location Data

(Screenshot.)

(TS//SI//REL) The IPSec Details Drilldown
(TS//SI//REL) Automatic Identification of Bi-directional VPNs

(TS//SI//REL) Automatic Identification of ...

(S//SI//REL) The icon means this record hits against the Target Network Service (TNS).

(TS//SI//REL) Automatic Identification of ...
(S//SI//REL) The Centrality Tab

(S//SI//REL) Find all VPNs that talk to a base VPN.
- Discover persistent hubs.
- Can continue chaining outwards.

(S//SI//REL) The Centrality Tab

(Screenshots.)
(U//FOUO) The Metrics Tab

(S//SI//REL) Count distinct VPN records, grouping them by one or more of the following attributes:
- SIGAD
- Source
- VPN Type
- Case Notation
- Date

(U//FOUO) The Metrics Tab: One

(TS//SI//REL) Total number of VPN type per SIGAD.







(U//FOUO) The Ultimate Goals

(S//SI//REL) Integrate VPN information into mainstream analytic tools and knowledge bases.

(S//SI//REL) Give analysts the ability to discover, develop, and track known targets using VPNs.

(S//SI//REL) Give analysts the ability to discover new targets using VPNs.

(U//FOUO) Questions?

SSG22
Network Analysis Center